A preview of the new NIST Cybersecurity Framework

The NIST Cybersecurity Framework has become the de facto set of guidelines for critical infrastructure organizations to assess information security risk and implement adequate cybersecurity measures to manage risk, while protecting consumer privacy.

Since being published in February 2014, the framework has been adopted by organizations in many industries to address cyber risk management needs. Its purpose is to help organizations effectively identify, protect against, detect, respond to, and recover from cyber threats. In May 2017, implementation within US federal agencies became mandatory.

On December 5, 2017, NIST released a revised draft. The Cybersecurity Framework v1.01 draft 2 is more comprehensive and easier to use. The feedback window closed on January 19, 2018, but not before organizations such as the Social Security Administration, Microsoft, Pfizer, and Kaiser Permanente weighed in.

What to expect from the finalized NIST Cybersecurity Framework this spring

Elaborations on definitions, descriptions, and processes:

  • Steps to identifying stakeholders
  • Cyber risks associated with an organizational supply chain
  • Methods for handling security gaps within the supply chain itself
  • Clarification on other management processes

Measuring risk: There are several revised areas pertaining to risk assessment, including the section on measuring and demonstrating cybersecurity effectiveness. NIST added a new section on conducting a cyber risk self-assessment. The risk section also explains how organizations can identify, measure, and manage cyber risk to support overarching business goals.

The latest draft provides a standard means to effectively communicate that risk to suppliers, partners, and other stakeholders in order to reduce misinterpretation.

Identity and access control: The revised draft provides additional clarity around concepts such as user authentication, authorization, and identity proofing. NIST also provides guidance on enabling secure access across emerging cloud, mobile, and other computing technologies.

Other changes include:

  • Supply chain management guidance enhancements
  • Updates to Informative References

Take adequate measures to protect the data your organization holds

The NIST Cybersecurity Framework helps organizations overcome their information security management system (ISMS) implementation challenges. It recommends that organizations refer to ISO 27001, along with other standards. ISO 27001 is issued by the International Organization for Standardization and describes ISMS best practices.

ISO 27001 is the only globally recognized standard to which organizations can be officially certified. Achieving ISO 27001-accredited certification from an independent, qualifying body shows that you are taking the right measures to protect consumer data and the systems that maintain it, while effectively managing data breach events.

IT Governance offers a training program that combines the ISO 27001 Foundation (CIS F) and Lead Implementer (CIS LI) courses, which will teach you the steps involved in planning, implementing, and maintaining an ISO 27001-compliant ISMS.

Book a place on our ISO 27001 Foundation and Lead Implementer Combination Course for a 15% saving on the cost of the two separate courses.